Redefinition of Cause#getShortDescription
The Cause#getShortDescription method was defined to return a "one line" short snippet of HTML in Jenkins 2.314 and earlier and LTS 2.303.1 and earlier.

To prevent further security vulnerabilities like SECURITY-2499 from affecting Jenkins users, the method has been redefined to return plain text in Jenkins 2.315 and LTS 2.303.2: its return value is now escaped before display and is no longer rendered as HTML on the UI.

If an implementation of #getShortDescription returns a string that includes user-specified content, plugin maintainers are advised to consider the behavior of both older and newer Jenkins releases if their plugin can be used on Jenkins 2.314 and earlier.

"User content" in this case refers to any dynamic content that is specified locally or provided by another system that Jenkins integrates with and is not guaranteed to be safe to interpret as HTML.
What needs to be done depends on what the implementation returns:

- No HTML intended, does not contain user content
  This is safe to use, and no adaptation to the new behavior of Jenkins is necessary.
- HTML intended, does not contain user content
  This is safe to use, but needs to be adapted to the new behavior of Jenkins; otherwise the UI will show the escaped HTML tags as literal text. Define a custom description.jelly file that renders the HTML, and return plain text from #getShortDescription.
- No HTML intended, contains user content
  This is likely unsafe in older Jenkins releases if users are able to inject HTML. Please report this to the Jenkins security team.
- HTML intended, contains user content
  This may or may not be safe in older Jenkins releases, depending on whether the user content is specifically escaped. Define a custom description.jelly file that renders the HTML, and return plain text from #getShortDescription. Be mindful that user content which #getShortDescription returns as plain text is still rendered as HTML in Jenkins 2.314 and earlier and LTS 2.303.1 and earlier, so it must not contain anything that is unsafe to interpret as HTML there.
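The following is an added example, not code from Jenkins core or from any existing plugin, of the split recommended for the two "HTML intended" cases above: the unsafe legacy pattern, and a replacement that returns plain text from #getShortDescription and moves the HTML into a description.jelly file. The class names `TicketCause` and `LegacyTicketCause`, the package, the tracker URL and the ticket-id format are assumptions made for the example. Because the older releases named on this page still insert the plain-text return value into the page as HTML, the replacement only puts a strictly validated identifier into #getShortDescription and shows the free-form, externally supplied title exclusively through the Jelly view, where it is escaped.

```java
package io.jenkins.plugins.example; // hypothetical plugin package

import hudson.model.Cause;
import java.util.regex.Pattern;

/**
 * The pattern this page warns about: HTML built from unescaped external content.
 * On Jenkins 2.314 / LTS 2.303.1 and older the return value is rendered as HTML,
 * so a title containing markup is interpreted by the browser. On 2.315 / 2.303.2
 * and newer the tags are escaped and users see the literal "<a href=...>" text.
 */
class LegacyTicketCause extends Cause {
    private final String url;
    private final String title;

    LegacyTicketCause(String url, String title) {
        this.url = url;
        this.title = title;
    }

    @Override
    public String getShortDescription() {
        return "Started by ticket <a href=\"" + url + "\">" + title + "</a>";
    }
}

/**
 * Hypothetical build cause recording the external ticket that triggered a build.
 * The ticket id and title arrive from another system, so both are "user content"
 * in the sense of this page.
 *
 * The HTML rendering lives in the plugin's resources next to this class, at
 *   src/main/resources/io/jenkins/plugins/example/TicketCause/description.jelly
 * with the following content (${...} expressions are escaped by Jelly when
 * escape-by-default is on, so the title cannot inject markup):
 *
 *   <?jelly escape-by-default='true'?>
 *   <j:jelly xmlns:j="jelly:core">
 *     Started by ticket <a href="${it.ticketUrl}">${it.ticketId}</a>: ${it.ticketTitle}
 *   </j:jelly>
 */
public class TicketCause extends Cause {

    /** Ticket ids must look like PROJ-123; anything else is rejected at construction time. */
    private static final Pattern TICKET_ID = Pattern.compile("[A-Z][A-Z0-9]{1,9}-[0-9]{1,9}");

    /** Assumed tracker location; the URL is derived from the validated id, never taken from input. */
    private static final String TRACKER_BASE = "https://tracker.example.com/browse/";

    private final String ticketId;
    private final String ticketTitle;

    public TicketCause(String ticketId, String ticketTitle) {
        if (ticketId == null || !TICKET_ID.matcher(ticketId).matches()) {
            throw new IllegalArgumentException("invalid ticket id: " + ticketId);
        }
        this.ticketId = ticketId;
        this.ticketTitle = ticketTitle == null ? "" : ticketTitle;
    }

    public String getTicketId() {
        return ticketId;
    }

    /** Free-form external text; only ever displayed through description.jelly, which escapes it. */
    public String getTicketTitle() {
        return ticketTitle;
    }

    public String getTicketUrl() {
        return TRACKER_BASE + ticketId;
    }

    /**
     * Plain text only, as required by Jenkins 2.315 / LTS 2.303.2 and newer.
     * Only the validated id is included: it contains no characters that have a
     * meaning in HTML, so the same string is also harmless on Jenkins 2.314 /
     * LTS 2.303.1 and older, which still insert this value into the page as HTML.
     */
    @Override
    public String getShortDescription() {
        return "Started by ticket " + ticketId;
    }
}
```

Keeping the externally supplied title out of #getShortDescription entirely avoids the alternative of escaping it there, which would be correct on the older releases but would show doubly escaped text (for example `&amp;`) once core starts escaping the value itself.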